What are the PCI / DSS standards?
The Payment Card Industry (PCI) Data Security Standards (DSS) are a set of security rules and practices governing payment account data. They were established in 2006 by major payment processors (including MasterCard, Visa, and American Express) to protect their users’ payment data and prevent fraud.
PCI standards are extremely important for two reasons: they are very effective at reducing payment fraud, and non-compliance with them can be very expensive. A payment processor may, at its discretion, fine between $5,000 and $100,000 per month while a merchant is in violation of the standards. In addition, it can raise transaction fees or stop servicing non-compliant merchants altogether.
Determining the Appropriate Level of Compliance
Per the PCI standards, merchants are assigned a “level” that determines the set of PCI rules they must comply with. Each payment processor assigns a level to a merchant based on its own bespoke criteria. As such, merchants may find that they are classified at different levels depending on the credit cards they are accepting.
Additional PCI Compliance Obligations
Depending on the merchant level, some card brands require periodic audits and documentation confirming continued compliance with PCI rules. Failure to comply could result in hefty fines. For example, American Express level 1 merchants could be assessed up to $100,000 for failure to submit their audit forms on time.
PCI Liability Insurance
PCI/DSS liability coverage is triggered by, and indemnifies losses arising from, any alleged or actual non-compliance with PCI standards. This coverage is extremely important given the extent to which merchants engage in electronic commerce and how expensive violations (including simply defending against alleged violations) can get.
Example PCI Claims
Negligence: Due to turnover in their finance department, the CFO of a company discovers that her VP of Finance failed to submit important annual audit forms to a credit card network before he left the firm. The network is now assessing a $35,000 fee for audit non-compliance. Luckily the company has PCI/DSS coverage in its cyber policy. The CFO submitted a claim, and the insurance carrier covered the cost after the $2,500 retention (deductible).
Violation: The fraud investigation team at a credit card network discovers a set of cards used at a restaurant were all compromised. After conducting its investigation, the team notices that the waiters were storing card data in plain text, a violation of PCI compliance. The card network assesses a $100,000 fine to the restaurant. Fortunately, the restaurant has PCI coverage in its cyber policy. After the policy’s $5,000 deductible, the insurance carrier covered the remaining $95,000.
Have any questions? Email us at support@getcyber.com. Otherwise, if you’re ready to get some quotes, click here to get started.